Seven vulnerabilities found through Mega’s security bounty program

Mega really wants you to know it's safe...

Since Kim Dotcom debuted his Mega service, security experts (Ars included) let out a collective "huh?!?" regarding some of the risks taken by the digital locker site—its use of deduplication, the security of its encryption keys, etc. Dotcom heard the message loud and clear. Two weeks after launching, he responded to criticism by offering up to €10,000 ($13,362) to anyone who could break the site's security.

This weekend, Mega reported its first batch of successful challengers. Seven vulnerability fixes were highlighted on the Mega blog—several thousand dollars' worth of fixes, if Dotcom makes good on his promise. (The post did not reveal who the successful hacks came from, much less whether the finders got paid.)

Along with describing the discoveries and fixes, Mega outlined six levels of vulnerabilities it uses for its security program. These range from level one ("All lower-impact or purely theoretical scenarios") to level six ("Fundamental and generally exploitable cryptographic design flaws"). The seven newly identified vulnerabilities ranged from level one through level four (class descriptions added within brackets):
